(54) CARD SYSTEM IMPROVING PRIVACY PROTECTION

(57) Abstract:

PROBLEM TO BE SOLVED: To provide all the advantages of a complete data warehouse by receiving a request from a consumer, querying the consumer for personal information and privacy preferences, storing in the data warehouse a proxy that is unique to the customer and identifies the customer, and issuing a privacy card.

SOLUTION: First, a request for a consumer privacy card, such as a loyalty card 138 or a smart card 136, is received from the customer. This is done over the Internet 126 via a modem 130, a telephone 132 or a kiosk/ATM 134. Next, the consumer is queried for personal information and privacy preferences. Then a proxy unique to the customer, which identifies the customer, is generated, associated with the customer's personal information, and stored in the data warehouse. Finally, a privacy card that expresses the customer's privacy preferences is issued.
Publication No. 2000-148924

1 Title of Invention

PRIVACY-ENABLED LOYALTY CARD SYSTEM AND METHOD 

2 Claims 

1. A method of controlling the collection and dissemination of data stored in a 
data warehouse, characterized by the steps of: 

accepting a request for a privacy card from a consumer; 

querying the consumer for consumer personal information and privacy preferences; 
storing a customer unique proxy identifying the customer in the data warehouse; and

issuing a privacy card comprising the proxy to the customer.

2. The method of claim 1, wherein the step of storing a customer unique proxy 
in the data warehouse comprises the steps of: 

generating the proxy; 

storing the customer unique proxy in the data warehouse; and 
storing the proxy in the privacy card. 

3. The method of claim 2, wherein the privacy card is a smart card. 

4. The method of claim 1, wherein the step of storing a customer unique proxy
in the data warehouse comprises the steps of:

reading the proxy from the privacy card; and 
storing the proxy in the data warehouse. 

5. The method of claim 1, further comprising the steps of: 

receiving a request for a commercial transaction from the consumer, the request 
comprising the proxy; 

associating data about the commercial transaction with the proxy; and
storing the associated commercial transaction data in the data warehouse. 



6. The method of claim 1, further comprising the steps of:
accepting a request from the consumer to manage the privacy preferences in the
data warehouse;

verifying the identity of the consumer; and

managing the privacy preferences stored in the data warehouse in accordance with a
consumer privacy preference management command.

7. The method of claim 1, wherein the proxy is stored in the data warehouse
secure from the consumer personal information. 

8. The method of claim 1, wherein a customer unique identification code is
generated and stored for each of a plurality of retailers.

9. An apparatus for controlling the collection and dissemination of data stored 
in a data warehouse, characterized by:

means for accepting a request for a privacy card from a consumer;

means for querying the consumer for consumer personal information and privacy 
preferences; 

means for storing a customer unique proxy identifying the customer in the data 
warehouse; and 

means for issuing a privacy card comprising the proxy to the customer.

10. The apparatus of claim 9, wherein the means for storing a customer unique 
proxy in the data warehouse comprises: 

means for generating the proxy; 

means for storing the customer unique proxy in the data warehouse; and 
means for storing the proxy in the privacy card. 



11. The apparatus of claim 10, wherein the privacy card is a smart card.



12. The apparatus of claim 9, wherein the means for storing a customer unique
proxy in the data warehouse comprises: 

means for reading the proxy from the privacy card; and 
means for storing the proxy in the data warehouse. 
13. The apparatus of claim 9, further comprising:

means for receiving a request for a commercial transaction from the consumer, the 
request comprising the proxy; 

means for associating data about the commercial transaction with the proxy; and 
means for storing the associated commercial transaction data in the data warehouse. 

14. The apparatus of claim 9, further comprising:

means for accepting a request from the consumer to manage the privacy preferences
in the data warehouse;

means for verifying the identity of the consumer; and

means for managing the privacy preferences stored in the data warehouse in
accordance with a consumer privacy preference management command.

15. The apparatus of claim 9, wherein the proxy is stored in the data warehouse 
secure from the consumer personal information. 

16. The apparatus of claim 9, wherein a customer unique identification code
is generated and stored for each of a plurality of retailers.

17. A program storage device, readable by a computer, embodying one or more 
instructions executable by the computer to perform method steps for controlling the 
collection and dissemination of data stored in a data warehouse, the method steps 
characterized by the steps of: 

accepting a request for a privacy card from a consumer;

querying the consumer for consumer personal information and privacy preferences; 
storing a customer unique proxy identifying the customer in the data warehouse; and

issuing a privacy card comprising the proxy to the customer.
18. The program storage device of claim 17, wherein the method step of storing
a customer unique proxy in the data warehouse comprises the method steps of: 

generating the proxy; 

storing the customer unique proxy in the data warehouse; and 
storing the proxy in the privacy card. 

19. The program storage device of claim 18, wherein the privacy card is a smart card.

20. The program storage device of claim 17, wherein the method step of storing 
a customer unique proxy in the data warehouse comprises the method steps of: 

reading the proxy from the privacy card; and 
storing the proxy in the data warehouse. 

21. The program storage device of claim 17, wherein the method steps further
comprise the method steps of: 

receiving a request for a commercial transaction from the consumer, the request 
comprising the proxy; 

associating data about the commercial transaction with the proxy; and 
storing the associated commercial transaction data in the data warehouse. 

22. The program storage device of claim 17, wherein the method steps further
comprise the method steps of:

accepting a request from the consumer to manage the privacy preferences in the
data warehouse;

verifying the identity of the consumer; and

managing the privacy preferences stored in the data warehouse in accordance with a
consumer privacy preference management command.
23. The program storage device of claim 17, wherein the proxy is stored in the
data warehouse secure from the consumer personal information. 

24. The program storage device of claim 17, wherein a customer unique
identification code is generated and stored for each of a plurality of retailers.
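The procedure of claims 1 to 8 as a runnable model: enrollment issues a customer unique proxy, transaction rows carry only the proxy, personal information is held apart from the transaction data, and preference changes require identity verification. This is an added illustration, not code from the patent; the random-token proxy, the HMAC-derived per-retailer identification code of claim 8 and the PIN used for identity verification are assumptions the claims leave open.

```python
"""Model of the privacy-card / customer-unique-proxy scheme of claims 1-8.

Added illustration, not the patent's own code. Assumed details: the proxy is a
random 128-bit token, the per-retailer code of claim 8 is an HMAC over the proxy,
and identity verification (claim 6) is a PIN chosen by the consumer at enrollment.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PrivacyCard:
    """What is handed to the consumer: the proxy and a copy of their preferences."""
    proxy: str
    preferences: dict


class SecureDataWarehouse:
    def __init__(self, retailer_key: bytes):
        # Personal information is kept apart from transaction data (claim 7);
        # only the proxy links the two, and that link exists only inside the warehouse.
        self._identity = {}      # proxy -> personal information + PIN hash
        self._preferences = {}   # proxy -> privacy preferences
        self._transactions = []  # rows carry the proxy, never the identity
        self._retailer_key = retailer_key

    def issue_privacy_card(self, personal_info: dict, preferences: dict, pin: str) -> PrivacyCard:
        """Claims 1-2: generate the proxy, store it with the personal data, issue the card."""
        proxy = secrets.token_hex(16)  # unique to the customer, carries no personal data
        salt = secrets.token_bytes(16)
        self._identity[proxy] = {
            "info": dict(personal_info),
            "salt": salt,
            "pin_hash": hashlib.sha256(salt + pin.encode()).hexdigest(),
        }
        self._preferences[proxy] = dict(preferences)
        return PrivacyCard(proxy, dict(preferences))

    def record_transaction(self, proxy: str, retailer: str, item: str, amount: float) -> None:
        """Claim 5: the transaction request carries only the proxy."""
        if proxy not in self._preferences:
            raise KeyError("unknown proxy")
        self._transactions.append(
            {"proxy": proxy, "retailer": retailer, "item": item, "amount": amount}
        )

    def retailer_code(self, proxy: str, retailer: str) -> str:
        """Claim 8: a different identification code per retailer, so two retailers
        cannot join their records on a shared identifier (HMAC is an assumption)."""
        msg = f"{retailer}:{proxy}".encode()
        return hmac.new(self._retailer_key, msg, hashlib.sha256).hexdigest()[:16]

    def manage_preferences(self, proxy: str, pin: str, command: dict) -> dict:
        """Claim 6: verify the consumer, then apply the preference management command."""
        rec = self._identity[proxy]
        expected = hashlib.sha256(rec["salt"] + pin.encode()).hexdigest()
        if not hmac.compare_digest(expected, rec["pin_hash"]):
            raise PermissionError("identity verification failed")
        self._preferences[proxy].update(command)
        return dict(self._preferences[proxy])

    def analysis_view(self) -> list:
        """Rows available to aggregate analysis: identity-free, and only for
        customers whose preferences allow analysis."""
        return [
            {k: v for k, v in row.items() if k != "proxy"}
            for row in self._transactions
            if self._preferences[row["proxy"]].get("allow_analysis", False)
        ]

    def marketing_view(self) -> list:
        """Rows joined back to identity: only where the consumer allowed marketing use."""
        out = []
        for row in self._transactions:
            if self._preferences[row["proxy"]].get("allow_marketing", False):
                out.append({**row, **self._identity[row["proxy"]]["info"]})
        return out
```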
3 Detailed Description of Invention

The present invention relates to systems and methods of data warehousing and 
analysis, and in particular to a system and method for enforcing privacy constraints on a 
database management system. 

Database management systems are used to collect, store, disseminate, and analyze 
data. These large-scale integrated database management systems provide an efficient, 
consistent, and secure data warehousing capability for storing, retrieving, and analyzing 
vast amounts of data. This ability to collect, analyze, and manage massive amounts of 
information has become a virtual necessity in business today. 

The information stored by these data warehouses can come from a variety of 
sources. One important data warehousing application involves the collection and analysis 
of information collected in the course of commercial transactions between businesses and 
consumers. For example, when an individual uses a credit card to purchase an item at a 
retail store, the identity of the customer, the item purchased, the purchase amount and 
other related information are collected. Traditionally, this information is used by the 
retailer to determine if the transaction should be completed, and to control product 
inventory. Such data can also be used to determine temporal and geographical purchasing 
trends. 

Similar uses of personal data occur in other industries. For example, in banking, the
buying patterns of consumers can be divined by analyzing their credit card transaction 
profile or their checking/savings account activity, and consumers with certain profiles can 
be identified as potential customers for new services, such as mortgages or individual 
retirement accounts. Further, in the telecommunications industry, consumer telephone 
calling patterns can be analyzed from call-detail records, and individuals with certain 
profiles can be identified for selling additional services, such as a second phone line or call 
waiting. 

Additionally, data warehouse owners typically purchase data from third parties, to 
enrich transactional data. This enrichment process adds demographic data such as 
household membership, income, employer, and other personal data. 
The data collected during such transactions is also useful in other applications. For
example, information regarding a particular transaction can be correlated to personal 
information about the consumer (age, occupation, residential area, income, etc.) to 
generate statistical information. In some cases, this personal information can be broadly 
classified into two groups: information that reveals the identity of the consumer, and 
information that does not. Information that does not reveal the identity of the consumer is 
useful because it can be used to generate information about the purchasing proclivities of 
consumers with similar personal characteristics. Personal information that reveals the 
identity of the consumer can be used for a more focused and personalized marketing 
approach in which the purchasing habits of each individual consumer are analyzed to 
identify candidates for additional or tailored marketing. 

Another example of an increase in the collection of personal data is evidenced by 
the recent proliferation of "membership" or "loyalty" cards. These cards provide the 
consumer with reduced prices for certain products, but each time the consumer uses the 
card with the purchase, information about the consumer's buying habits is collected. The 
same information can be obtained in an on-line environment, or purchases with smart cards, 
telephone cards, and debit or credit cards. 

Unfortunately, while the collection and analysis of such data can be of great public 
benefit, it can also be the subject of considerable abuse. In the case of loyalty programs, 
the potential for such abuse can prevent many otherwise cooperative consumers from 
signing up for membership awards or other programs. It can also discourage the use of 
emerging technology, such as cash cards, and foster continuation of more conservative 
payment methods such as cash and checks. In fact, public concern over privacy is believed 
to be a factor holding back the anticipated explosive growth in web commerce. 

For all of these reasons, as well as regulatory constraints, when personal information 
is stored in data warehouses, it is incumbent on those that control this data to protect the 
data from such abuse. As more and more data is collected in this, the computer age, the 
rights of individuals regarding the use of data pertaining to them have become of greater 
importance. 
It is an object of the present invention to provide a system and method which 
provides all the advantages of a complete data warehousing system, while addressing the 
privacy concerns of the consumer. 

From a first aspect, the present invention resides in a method of controlling the 
collection and dissemination of data stored in a data warehouse, characterized by the steps 
of: 

accepting a request for a privacy card from a consumer; 

querying the consumer for consumer personal information and privacy preferences; 

storing a customer unique proxy identifying the customer in the data warehouse; and 

issuing a privacy card comprising the proxy to the customer. 

From a second aspect, the present invention resides in an apparatus for controlling 
the collection and dissemination of data stored in a data warehouse, characterized by: 

means for accepting a request for a privacy card from a consumer; 

means for querying the consumer for consumer personal information and privacy 
preferences; 

means for storing a customer unique proxy identifying the customer in the data 
warehouse; and 

means for issuing a privacy card comprising the proxy to the customer. 

From a third aspect, the present invention resides in a program storage device, 
readable by a computer, embodying one or more instructions executable by the computer to 
perform method steps for controlling the collection and dissemination of data stored in a 
data warehouse, the method steps characterized by the steps of: 

accepting a request for a privacy card from a consumer; 

querying the consumer for consumer personal information and privacy preferences; 

storing a customer unique proxy identifying the customer in the data warehouse; and 

issuing a privacy card comprising the proxy to the customer. 
One embodiment of the present invention also utilizes a privacy metadata system 
that administers and records all data, users, and usage of data that is registered as 
containing privacy elements. This metadata service provides for locating, consolidating, 
managing, and navigating warehouse metadata. It also allows for setting aside an area 
from which all system aspects of privacy are registered, administered, and logged in an 
auditable format. 

Embodiments of the present invention will now be described by way of reference 
only to the accompanying drawings. 

Overview 

FIG. 1 is a system block diagram presenting an overview of a data warehousing 
system 100. The system comprises secure data warehouse 102 having a database 
management system 104 storing one or more extended databases 106 therein. 

One important capability of a database management system is the ability to define a 
virtual table and save that definition in the database as metadata with a user-defined name. 
The object formed by this operation is known as a View or a database view (the particular 
database views used in the present invention are hereinafter referred to as "data views"). As 
a virtual table, a dataview is not physically materialized anywhere in the database until it is 
needed. All access to data (with the possible exception of data access for administrative 
purposes) is accomplished through dataviews. To implement a variety of privacy rules, a 
suite of a plurality of dataviews is provided. Metadata about the privacy dataviews 
(including the dataview name, names and data types of the dataview columns, and the 
method by which the rows are to be derived) is stored persistently in the database's 
metadata, but the actual data presented by the view is not physically stored anywhere in 
association with the derived table. Instead, the data itself is stored in a persistent base 
table, and the view's rows are derived from that base table. Although the dataview is a 
virtual table, operations can be performed against dataviews just as they can be performed 
against the base tables. 

The secure data warehouse 102 further comprises a suite of privacy metadata 
dataviews 108 through which all data in the extended database 106 are presented. Data 
within the extended database 106 can be viewed, processed, or altered only through the 
dataviews in this suite. The schema and logical model of the extended database and 
dataviews is set forth more fully herein with respect to FIG. 2. 

Virtually all access to the data stored in the extended database 106 is provided 
solely through the dataview suite 108. Thus, business applications 110 and third party 
applications 112 have access only to such data as permitted by the database view provided. 
In one embodiment, provision is made to permit override of the customer's privacy 
preferences. However, in such circumstances, data describing the nature of the override is 
written to the database for retrieval by the audit module 118, so that the override cannot 
occur surreptitiously. Further, overrides may be monitored by the privacy metadata 
monitoring extensions 114 to provide an alert to the consumer when such overrides occur. 

Limiting access to the data stored in the extended database 106 to the access 
provided by the privacy dataview suite 108 provides the capability (1) to implement privacy 
rules by making the personal data anonymous (through the anonymizing view described 
herein), (2) to restrict access to opted-out columns, which can apply to all 
personal data, separate categories of personal data, or individual data columns, and (3) to 
exclude entire rows (customer records) for opt-out purposes based on customer opt-outs 
(excluding a row if any of the applicable opt-out flags has been set for the customer in 
question, thus preventing any direct marketing or disclosure to third parties). 

Using a client interface module 122 that communicates with the dataviews 108 a 
client 124 can access, control, and manage the data collected from the client 124. This data 
control and management can be accomplished using a wide variety of communication 
media 140, including the Internet 126 (via a suitable browser plug-in 128), a modem 130, 
voice telephone communications 132, or a kiosk 134 or other device at the point of sale. 
To facilitate such communications, the kiosk or other device at the point of sale can issue a 
smartcard 136 or a loyalty card 138. The kiosk/pos device 134 can accept consumer input 
regarding privacy preferences, and issue a smartcard 136 or loyalty card 138 storing 
information regarding these preferences. Similarly, using the kiosk/pos device 134 and 
the smartcard 136 or loyalty card 138, the consumer may update or change preferences as 
desired. In cases where the loyalty card 138 is a simple read only device (such as a bar- 
coded attachment to a key ring), the kiosk/pos device 134 can issue replacement cards 
with the updated information as necessary. Transactions using the loyalty card 138 or 
smartcard 136 are selectably encrypted and anonymous. Either card may interact directly 
with the server or through a plug-in to implement the security rules selected. 

Through this interface, the consumer can specify data sharing and retention 
preferences. These preferences include data retention preferences, and data sharing 
preferences. These allow the consumer to specify when and under what circumstances 
personal information may be retained or shared with or sold to others. For example, the 
consumer may permit such data retention as a part of a loyalty card program, or if the use 
of the data is limited to particular uses. Further, the consumer may specify under what 
circumstances the data may be sold outright, used for statistical analysis purposes, or used 
for third party elective marketing programs. 

The data warehousing system 100 also permits anonymous communication between 
the client and the secure data warehouse 102 via a privacy service 150. When the user 
desires an anonymous transaction, the transaction is routed to the privacy service 150. The 
privacy service 150 accesses a privacy rule database 152 and other security information 154 
and uses the privacy rule and security information to remove all information from which the 
identity of the consumer can be determined. The cleansed transaction information is then 
forwarded to the anonymity protection interface module 160 in the secure data warehouse. 
Communications with the secure data warehouse 102 use a proxy user identification, which 
is created by the privacy service 150 from the customer's username or other identifying 
information. If the customer does not require an anonymous transaction, the transaction is 
provided directly to the retailer who may store the transaction information in the extended 
database. 
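The anonymous path through the privacy service 150 described above, as an added example that is not the patent's own code: identifying fields are stripped according to a rule table and a customer-unique proxy identification is derived from the username. The keyed-hash (HMAC) construction of the proxy, the field names in the rule table and the sample transaction are assumptions made for this example.

```python
"""Added illustration of the privacy service 150: cleansing an anonymous
transaction and substituting a proxy user identification.  The HMAC-based
proxy, the rule table and the field names are assumptions, not the patent's."""
import hashlib
import hmac

# Constructed stand-in for the privacy rule database 152: the transaction
# fields from which the identity of the consumer could be determined.
IDENTIFYING_FIELDS = {"username", "name", "address", "phone", "card_number", "email"}


def make_proxy(username: str, secret_key: bytes) -> str:
    """Derive the proxy user identification from the customer's username.

    A keyed hash gives every customer a stable, unique proxy, so the warehouse
    can still relate one customer's transactions to each other, while the
    username cannot be recovered from the proxy without the privacy service's
    secret key.  Normalising the username keeps 'BJones' and 'bjones' together.
    """
    normalised = username.strip().lower().encode("utf-8")
    digest = hmac.new(secret_key, normalised, hashlib.sha256)
    return "px-" + digest.hexdigest()[:24]


def cleanse(txn: dict, secret_key: bytes) -> dict:
    """Remove every identifying field and attach the proxy identification."""
    if "username" not in txn:
        raise ValueError("transaction carries no username to derive a proxy from")
    cleaned = {k: v for k, v in txn.items() if k not in IDENTIFYING_FIELDS}
    cleaned["proxy_id"] = make_proxy(txn["username"], secret_key)
    # Defensive check: nothing the rule table marks as identifying survives.
    leaked = IDENTIFYING_FIELDS & set(cleaned)
    if leaked:
        raise RuntimeError(f"identifying fields survived cleansing: {leaked}")
    return cleaned


def route(txn: dict, anonymous: bool, secret_key: bytes) -> dict:
    """Anonymous transactions pass through the privacy service; all others go
    to the retailer unchanged, as the text describes."""
    return cleanse(txn, secret_key) if anonymous else dict(txn)


# Constructed sample transaction (all values invented for this example).
SAMPLE_TXN = {
    "username": "BJones", "name": "Bill K. Jones", "address": "1 Main St",
    "phone": "555-0100", "card_number": "0000-0000-0000-0001",
    "item": "hiking boots", "amount": 89.95, "store": "Downtown",
}

if __name__ == "__main__":
    key = b"constructed-demo-key"   # would be held only by the privacy service
    print(route(SAMPLE_TXN, anonymous=True, secret_key=key))
    print(route(SAMPLE_TXN, anonymous=False, secret_key=key))
```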

Since it alone provides access to data within the extended database, the dataview 
suite 108 also provides a convenient and comprehensive means for auditing the security of 
the secure data warehouse 102. 

The secure data warehouse 102 also comprises metadata monitoring extension 114. 
This extension 114 allows the customer to generate a rule to monitor the use of personal 
data, and to transmit an alert 116 or callback if a metadata definition change occurs. The 
consumer can control the metadata monitoring extension 114 to trigger an alert when the 
customer's personal information is read from the extended database 106, is written to the 
extended database 106, if the opt-out delimiters stored in the extended database are 
changed, or when a table or a dataview is accessed. Alternatively, triggered alerts can be 
logged for later access by the consumer. 

The metadata monitoring extension 114 also records data source information, so 
customers can determine the source of the data stored in the secure data warehouse 102. 
The data source may be the customer, or may be a third party intermediary source. This 
feature is particularly useful when the consumer would like to not only correct erroneous 
information, but to determine the source of the erroneous information so the error will not 
be replicated in the same database or elsewhere. 

Source data may also be stored in the data table for each column or set of columns 
so that the source of the data can be ascertained directly from table data. In this 
embodiment, the source identification is generalized so that each customer can have a 
different source of information without the need to replicate information source 
information in the metadata for all customers. 

Similarly, the metadata monitoring extension 114 also records data target 
information, so that customers can determine who has been a recipient of their personal 
information. This feature is also useful for correcting replicated errors, as well as for 
monitoring disclosure activity relative to a consumer's personal information. 

The metadata monitoring extension 114 can also be used to support auditing 
functions by tracking reads or writes from the extended database 106 as well as the changes 
to the dataview suite 108. 

The present invention can be implemented in a computer comprising a processor 
and a memory, such as a random access memory (RAM). Such computer is typically 
operatively coupled to a display, which presents images such as windows to the user on a 
graphical user interface. The computer may be coupled to other devices, such as a 
keyboard, a mouse device, a printer, etc. Of course, those skilled in the art will recognize 
that any combination of the above components, or any number of different components, 
peripherals, and other devices, may be used with the computer. 

Generally, the computer operates under control of an operating system stored in the 
memory, and interfaces with the user to accept inputs and commands and to present results 
through a graphical user interface (GUI) module. Although the GUI module is typically a 
separate module, the instructions performing the GUI functions can be resident or 
distributed in the operating system, an application program, or implemented with special 
purpose memory and processors. The computer may also implement a compiler that allows 
an application program written in a programming language such as COBOL, C++, 
FORTRAN, or other language to be translated into processor-readable code. After 
completion, the application accesses and manipulates data stored in the memory of the 
computer using the relationships and logic that was generated using the compiler. 
In one embodiment, instructions implementing the operating system, the computer 
program, and the compiler are tangibly embodied in a computer-readable medium, e.g., 
data storage device 170, which could include one or more fixed or removable data storage 
devices, such as a zip drive, floppy disc drive, hard drive, CD-ROM drive, tape drive, etc. 
Further, the operating system and the computer program are comprised of instructions 
which, when read and executed by the computer, causes the computer to perform the steps 
necessary to implement and/or use the present invention. Computer program and/or 
operating instructions may also be tangibly embodied in memory and/or data 
communications devices, thereby making a computer program product or article of 
manufacture according to the invention. As such, the terms "program storage device," 
"article of manufacture" and "computer program product" as used herein are intended to 
encompass a computer program accessible from any computer readable device or media. 

Those skilled in the art will recognize many modifications may be made to this 
configuration without departing from the scope of the present invention. For example, 
those skilled in the art will recognize that any combination of the above components, or any 
number of different components, peripherals, and other devices, may be used with the 
present invention. 

Logical Model 

FIG. 2 is a diagram showing an exemplary logical model of the secure data 
warehouse 102 and the dataview suite 108 in greater detail. The extended database 106 
comprises a customer table 202, which is segmented into three portions: an identity 
information portion 204, a personal information portion 206, and a sensitive information 
portion 208. The identity information portion 206 comprises data columns 220, 232, 244, 
and 246, which store information that reveals the identity of the consumer. These columns 
include a consumer account number column 220, name column 232, an address column 
244, and a telephone number column 246. The identity portion 204 of the customer table 
202 also comprises one or more data control columns 212, which specify data reflecting the 
privacy preferences, or "opt-outs" for the accompanying data. In the illustrated 
embodiment, columns 222-230 store one or more characters ("A" or "D") or flags 
(represented by "1s" and "0s") which specify privacy preferences for the consumer's data 
records. In the disclosed embodiment, these privacy preferences include "opt-outs" for (1) 
direct marketing, (2) disclosure of personal data along with information identifying the 
consumer, (3) anonymous disclosure of personal data, (4) disclosure of personal data for 
purposes of making automated decisions, and (5) disclosure or use of sensitive data. The 
customer table 202 also comprises a global data control column 210. This column can be 
used to indicate that the consumer wants maximum privacy. 

In the exemplary embodiment illustrated, a consumer named Bill K. Jones has 
permitted some data collection, analysis, or dissemination by selecting a "0" in the global 
data control column 210. He has further indicated that his consumer information can be 
used in direct marketing and can be disclosed to third parties, both with his identity, and 
anonymously. He has allowed the data to be used to perform automated processing, and 
will permit the dissemination of sensitive data. 

In one embodiment, a TERADATA database management system is utilized to 
implement the foregoing logical model. This implementation has several advantages. 

First, TERADATA's ability to store and handle large amounts of data eases the 
construction of the many different views and allows the secure data warehousing system 
100 to utilize a logical data model in or close to the third normal form. 

Second, unlike systems which execute SQL queries as a series of selections to 
narrow the data down to the dataview subset, the TERADATA database management 
system rewrites dataview-based queries to generate the SQL that selects the necessary 
columns directly from the appropriate base tables. While other views materialize entire 
tables before narrowing down the data to the view subset, TERADATA generates SQL 
that selectively pulls appropriate columns and rows into the result table. This method is 
particularly advantageous in implementing the foregoing logical model. 

Third, the foregoing logical model generally results in dataviews, which include 
complex queries and wide SQL expressions. The TERADATA database management 
system is particularly effective at optimizing such queries and SQL expressions. 

Using the foregoing teaching, alternative logical models having alternatively defined 
data control column structures can be implemented to meet the particular privacy 
granularity and control needs of each database application. 
Dataviews 

A number of dataviews are provided in the dataview suite 108. These dataviews 
include a standard view 260, a privileged view 262, an anonymizing view 264, and an opt- 
out view 266. These views limit visibility into the data in the customer table 202 in 
accordance with the values placed in the data control columns 212. 

The standard view 260 will not present personal data unless either the flag in 
column 224 (indicating that the personal information and identifying information can be 
disseminated) or 226 (indicating that personal information can only be disseminated 
anonymously) is activated. Hence, the standard view 260 selectively masks personal data 
from view unless the consumer has had the appropriate flags set to the proper value. 

Scaleable data warehouse (SDW) customer database administrators (DBAs) set up 
views into customer tables (any tables containing personal information about their 
customers), such that, for routine users, all columns of personal information are hidden. 
This allows all routine decision support (DSS) applications and tools with query access to 
the warehoused data to be precluded from viewing personal information and consequently, 
all end-users of these applications and tools are also precluded from viewing personal 
information as well. 

To minimize disruption to existing SDW customers, dataviews are established using 
the same names that are used for base tables in any existing applications that access private 
data, and corresponding base table names can be renamed to some other value. Thus, 
whenever an existing application attempts to access private data (now via a dataview), the 
private data can be screened out by the dataview, depending on user privileges. Using this 
approach, there is no need to modify existing applications. Instead, the logical data model 
and database schema would be modified, and additional naming conventions would be 
introduced. 

The privileged view 262 permits viewing, analysis, and alteration of all information. 
The privileged view 262 will be supplied only to privileged (Class "A") applications 110B, 
such as those required for administration and/or maintenance of the database (e.g. for 
inserting new customers, deleting ex-customers, handling address changes), and to those 
applications which handle privacy related functions (such as informing customers about 
personal information collected about them, changing/updating personal information, and 
applying "Opt-in/Opt-out" controls). For example, the client interface module 212, which 
is used to view, specify, and change consumer privacy preferences, is a privileged 
application. Appropriate security measures are undertaken to assure that the privileged 
applications are suitably identified as such, and to prevent privileged view 262 access by 
any entity that is not so authorized. 

Certain SDW applications ("Class B") may perform analysis on personal data, in 
order to gain insight into customer behavior, e.g. to identify trends or patterns. Such 
applications may be driven by end-users (knowledge workers or "power analysts") 
performing "ad hoc" queries, typically using either custom-built software or standard query 
or OLAP Tools, where the end-user spots the patterns. They may also involve the use of 
data mining tools, where statistical or machine learning algorithms, in conjunction with the 
analyst, discover patterns and from them build predictive models. 

To derive the greatest value, analytic applications must have access to all available 
forms of personal information. In order to enable such access, while at the same time 
respecting personal privacy requirements, special "anonymizing" dataviews are used. These 
dataviews are designed to provide access to personal data fields, but to screen out all fields 
containing information that can identify the owner of the data (e.g. name, address, phone 
number, social security number, account numbers). 

The anonymizing view 264 permits the viewing and analysis of personal 
information, but screens the information stored in the identity information portion 204 from 
view or analysis unless the flag in the column 224 (permitting disclosure of personal data 
along with information identifying the consumer) is selected. This data can be provided to 
analytic applications 110C, which permit data mining and ad-hoc queries. If the consumer 
permits, this information may also be provided to third party applications 112. 

A further class of privileged applications ("Class C") includes applications that use 
personal information to take some form of action, such as marketing applications (e.g. to 
create mail or phone solicitations). These marketing applications are subject to the "Opt- 
in/Opt-out" controls set for each customer, and access customer information through a 
special dataview that removes or masks all records associated with an activated "Opt-out" 
indicator. Thus, for example, any customer who has opted out from receiving marketing 
solicitations would be omitted from any contact list created by the marketing application. 
The "Opt out" indicator is a new column added to customer tables, or joined to 
existing customer tables via dataviews (which is an additional change to the logical data 
model). In one embodiment, the value of this column for each customer row is initially 
set to "Opt Out" (or "Opt in" if permitted by law), and can be modified via the client 
interface module 122, which handles customer requests regarding privacy controls. 

Multiple "Opt Out" indicators may be set up for each customer record. At a 
minimum, five opt-outs are implemented: for "direct marketing", "third-party disclosure of 
identifiable data", "third-party disclosure of anonymous data", "automated decisions", and 
"use of sensitive data". However, a scheme of more fine-grained opt-outs could be 
designed, based on more detailed customer preferences. For example, "direct marketing" 
could be broken out into separate opt-outs for contact by telephone, direct mail, and 
electronic mail, and a catchall for "other" action. This would yield eight separate opt-outs. 

Opt-out view 266 permits the use of information for purposes of making automated 
decisions with action applications 110D, such as those which implement phone or mail 
solicitation. Views into this information are controlled by the flag in column 228. 
Alternatively, the value stored in column 228 may comprise a character with sufficient 
range to permit the single character to not only define that solicitation is permitted, but to 
indicate what kind and scope of permitted solicitation. 

Applications or queries that disclose personal data to third parties (e.g. for 
marketing or analytic purposes) are subject to both the Class C ("Opt Out") and Class B 
("anonymizing") Views. If the customer has opted out of third-party use of their data, then 
the "Opt Out" dataview applies, and their row (record) is excluded from the output. Other 
customers may have opted in to third-party disclosure of their data provided it is 
anonymous; in these cases, the customer data is made anonymous via the "anonymizing" 
dataview before being output. In all other cases, the customer has opted in to disclosure of 
their personal data in identifiable form; here the personal data is output along with 
identifying data columns. 
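The logical model and the four dataviews discussed above (standard view 260, anonymizing view 264, opt-out view 266, and the combined opt-out-then-anonymize treatment of third-party disclosure), as an added example that is not the patent's or Teradata's own code, built in SQLite so it runs offline. Column names, the 1/0 flag encoding (1 = the consumer permits the use), the treatment of the global column 210 as an overall exclusion, and the sample rows other than Bill K. Jones are assumptions made for this example.

```python
"""Added illustration: customer table 202 with its data control columns, the
standard, anonymizing and opt-out dataviews, and a third-party disclosure
view, in SQLite.  Column names, flag encoding and rows are assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE customer (
    acct_no      INTEGER PRIMARY KEY,  -- identity portion: column 220
    name         TEXT,                 -- column 232
    address      TEXT,                 -- column 244
    phone        TEXT,                 -- column 246
    age          INTEGER,              -- personal information portion
    hobby        TEXT,
    credit_score INTEGER,              -- sensitive information portion
    global_max_privacy       INTEGER,  -- column 210: 1 = maximum privacy
    ok_direct_marketing      INTEGER,  -- column 222
    ok_identified_disclosure INTEGER,  -- column 224
    ok_anonymous_disclosure  INTEGER,  -- column 226
    ok_automated_decisions   INTEGER,  -- column 228
    ok_sensitive_use         INTEGER   -- column 230
);
-- Standard view 260: routine users see no identity columns at all, and the
-- personal columns are masked (NULL) unless flag 224 or 226 permits release.
CREATE VIEW standard_view AS
SELECT CASE WHEN ok_identified_disclosure = 1 OR ok_anonymous_disclosure = 1
            THEN age END   AS age,
       CASE WHEN ok_identified_disclosure = 1 OR ok_anonymous_disclosure = 1
            THEN hobby END AS hobby
FROM customer WHERE global_max_privacy = 0;
-- Anonymizing view 264 (Class B analytics): personal columns always visible,
-- identity columns only when flag 224 is set, sensitive data only when 230 is.
CREATE VIEW anonymizing_view AS
SELECT CASE WHEN ok_identified_disclosure = 1 THEN name END    AS name,
       CASE WHEN ok_identified_disclosure = 1 THEN address END AS address,
       CASE WHEN ok_identified_disclosure = 1 THEN phone END   AS phone,
       age, hobby,
       CASE WHEN ok_sensitive_use = 1 THEN credit_score END    AS credit_score
FROM customer WHERE global_max_privacy = 0;
-- Opt-out view 266 (Class C action applications): a contact list that drops
-- every row whose direct-marketing or automated-decision opt-out is active.
CREATE VIEW opt_out_view AS
SELECT acct_no, name, address, phone
FROM customer
WHERE global_max_privacy = 0
  AND ok_direct_marketing = 1 AND ok_automated_decisions = 1;
-- Third-party disclosure = opt-out filtering followed by anonymizing: rows
-- with neither 224 nor 226 set are excluded, rows with only 226 set come
-- out with identity masked, rows with 224 set come out in identifiable form.
CREATE VIEW third_party_view AS
SELECT CASE WHEN ok_identified_disclosure = 1 THEN name END  AS name,
       CASE WHEN ok_identified_disclosure = 1 THEN phone END AS phone,
       age, hobby
FROM customer
WHERE global_max_privacy = 0
  AND (ok_identified_disclosure = 1 OR ok_anonymous_disclosure = 1);
"""

# Constructed rows: Bill K. Jones as the text describes him (global "0", all
# uses permitted); the other two customers are invented for contrast.
ROWS = [
    (1, "Bill K. Jones", "1 Main St", "555-0100", 42, "hiking",  710, 0, 1, 1, 1, 1, 1),
    (2, "Ann Example",   "2 Oak Ave", "555-0101", 35, "running", 650, 0, 0, 0, 1, 0, 0),
    (3, "Carl Example",  "3 Elm Rd",  "555-0102", 58, "golf",    780, 1, 0, 0, 0, 0, 0),
]
DATAVIEWS = ("standard_view", "anonymizing_view", "opt_out_view", "third_party_view")


def build_demo_db() -> sqlite3.Connection:
    """Create the in-memory warehouse with the base table and the dataviews."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)", ROWS)
    return conn


def rows_through(conn: sqlite3.Connection, dataview: str) -> list:
    """What a requester sees through the named dataview, as a list of dicts."""
    if dataview not in DATAVIEWS:        # never interpolate an unchecked name
        raise ValueError(f"unknown dataview {dataview!r}")
    return [dict(r) for r in conn.execute(f"SELECT * FROM {dataview}")]


if __name__ == "__main__":
    db = build_demo_db()
    for view in DATAVIEWS:
        print(view, rows_through(db, view))
```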

A more fine-grained approach to opting in or out may be implemented. Specific 
opt-ins or opt-outs could be agreed with each customer for a variety of permissions and 
protections. For example, disclosure to third parties could be based on specific data fields, 
relating both to personal characteristics and to personal identifications: a customer might 
agree to their address and interest profile being provided, but not their financial information 
and their phone number. 

Opt-in/opt-out could also be further extended to gain a more detailed profile of 
each customer and their interests. For example, each class of opt-out (e.g. the eight opt- 
outs identified in section 4) could be applied separately to each category of personal data 
(e.g. demographic data; preference data), or down to each specific data item of personal 
data (e.g. age, gender; hiking interest, shoe brand preference). In this manner, customers 
could opt out of certain actions relating to certain interest areas, but could opt in to others 
(e.g. to receive direct mail marketing for running shoes). 

FIG. 3 is a diagram showing an alternative logical model of the secure data 
warehouse 102 with more fine-grained opt-ins and opt-outs. In this embodiment, each 
class of privacy preference is applied separately to each category of data (e.g. 
demographics), or down to each specific data item of personal data (e.g. age, gender, 
hiking interest, or shoe brand preference). For example, consumer Bill K. Jones may elect 
to allow his name to be accessible for some purposes, but not others. These limitations can 
be selected by entering the proper combination of flags for the entries in columns 302-310. 
Similarly, columns 312-320 can be used to specify the privacy preferences with regard to 
the storage and/or use of Mr. Jones' name. The preferences defined in columns 312-320 
may be different or the same as those described in columns 302-310. The present invention 
also permits the expansion of the foregoing security preference paradigm to a system of 
multiple fine-grain preferences, based upon more detailed customer preferences. For 
example, direct marketing could be broken into separate privacy preferences for contact by 
telephone, direct mail, electronic mail, and a catchall for "other" action. Further, the scope 
of the direct marketing could be specified so as to permit only a single contact. 

In an alternate embodiment, the security and privacy protection features of the 
extended database 106 and dataview suite 108 are further enhanced with the use of data 
encryption. This may be performed by encrypting the data in a given row with an 
encryption code, or by providing each data field with a unique encryption number. 
Alternatively, the data may be encrypted at different hierarchical levels of security so as to 
enforce the privacy preferences of the consumer. 

In one embodiment, encryption techniques are used on any identifying field, and 
selectively applicable on a row basis. This technique allows customers to remain 
anonymous (e.g. for data mining purposes), but could allow for positive identification for 
those applications or data requestors that have data encryption rights. 

Operation of Dataviews 

The dataviews in the dataview suite 108 of the present invention generate SQL 
statements that selectively pull appropriate columns and rows from the base tables into the 
result table. Compared to conventional techniques (which materialize entire tables before 
narrowing the data down to a view subset), this technique reduces the processing required 
to present the data to the data requestor. 

Audit Interface 

The owner of the database or an independent auditing service such as BBB 
ONLINE, TRUSTE, PRICE-WATERHOUSE, TRW, DMA, or CPA WEBTRUST, or 
NCR may inexpensively run periodic or complaint-driven reviews of the installation. These 
reviews examine the logical data model and database schema, applications and users that 
exist for the system, and a TERADATA access log. 

The logical data model review examines the dataview structure to confirm the 
existence of "Standard" Views for Normal users (restricting access to personal 
information), "Anonymizing" Views for analytic applications, and "Opt Out" Views for 
other applications. 

The applications and user review examines applications and users and the access 
rights that have been granted to them. This review confirms that "Class A" privileged 
applications/users have access rights to the "Personal Data" dataview, that "Class B" 
analytic applications/users have access rights to "anonymizing" dataviews, that "Class C" 
action-taking applications/users have access rights to "Opt-out" views, that applications 
that create output tables or files of personal data have access rights to the "Opt Out" and 
"Anonymizing" Views, and that other applications use the "Standard" View. 
Finally, the TERADATA access log or similar log from another database 
management system is reviewed to assure that the access activity that has occurred 
complies with the privacy parameters set forth by the data source. 

FIG. 4 is a diagram presenting an overview of the operation of the privacy auditing 
features of the present invention. Whenever a data requesting entity desires access to data 
in the extended database 106, a request is made to the database management system 
interface 109, which controls access to the data within the database tables in accordance 
with privacy parameters. Using a dataview provided from the dataview suite 108 to the 
requesting entity in accordance with the requesting entity's status as described herein, the 
extended database 106 table is accessed, and the data is provided. At the same time, the 
database access (or attempted access, if the access is unsuccessful) is logged in an access 
log 402. Access log 402 includes information regarding the type of access or attempt, the 
text (SQL) of the request resulting in the access, the frequency of access, the action 
requested, the name or identification of the requesting entity or application, and the 
referenced objects (tables, dataviews, and/or macros). The access log 402 permits all 
accesses to the dataviews in the dataview suite 108, macros in the macro suite 111, or 
base tables in the extended database 106 to be audited. All activities granting or revoking 
access privileges can be audited as well. This is made possible because the access log 402 
contents and the table/dataview/macro definitions allow a determination of whether the 
privacy rules have been enforced or broken. 

Privacy audit module 118 is provided to perform a privacy analysis of the data in 
the access log 402 to validate enforcement of the privacy parameters. The privacy audit 
module 118 traces all events related to privacy, summarizes activity relating to the access 
to personal data, and flags any suspected breaches of privacy rules. Privacy test suite 404 
comprises programs and other procedures that attempt to "break" the privacy rules, and 
then examine the access log 402 to determine if privacy rules were enforced or breached. 
The privacy audit module 118 can be tailored for use by third party auditors who conduct 
an independent assessment of the enforcement of customer privacy preferences, or for 
use by the data warehouse manager. 
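The following is an added example, not code from the patent, of the kind of check the privacy audit module could run over access log 402: each entry carries the access type, SQL text, requester and referenced objects described above, and the Class A/B/C rules from the applications and user review decide which dataviews a requester may touch. The class names, view names, the "_T" base-table naming convention and the sample log lines are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Dataviews each application class may use, following the Class A/B/C review.
# View names are constructed for this example.
CLASS_RULES: Dict[str, Set[str]] = {
    "A": {"PersonaData_V"},                    # privileged: full personal data
    "B": {"Anonymizing_V"},                    # analytic applications
    "C": {"OptOut_V"},                         # action-taking applications
    "export": {"OptOut_V", "Anonymizing_V"},   # apps writing output tables/files
    "other": {"Standard_V"},                   # everything else
}


@dataclass
class AccessEntry:
    """One access log record: type of access, SQL text, requester, objects."""
    access_type: str     # "select", "grant", "revoke", "create_view", ...
    sql_text: str
    requester: str       # application or user name
    objects: List[str]   # referenced tables, dataviews and/or macros
    succeeded: bool      # False for an attempted but unsuccessful access


def audit(log: List[AccessEntry], requester_class: Dict[str, str]) -> List[str]:
    """Return one finding per log entry that breaks the class rules.

    Attempts are flagged as well as successes (the log records both), direct
    base-table access is always flagged, and every grant/revoke is surfaced
    because privilege changes are themselves auditable events.
    """
    findings: List[str] = []
    for e in log:
        cls = requester_class.get(e.requester, "other")
        allowed = CLASS_RULES[cls]
        if e.access_type in ("grant", "revoke"):
            findings.append(f"privilege change by {e.requester}: {e.sql_text}")
            continue
        for obj in e.objects:
            if obj.endswith("_T"):  # constructed convention: base tables end in _T
                findings.append(f"{e.requester} touched base table {obj}")
            elif obj not in allowed:
                state = "used" if e.succeeded else "attempted"
                findings.append(f"class {cls} requester {e.requester} {state} {obj}")
    return findings


# Constructed sample log and requester classification.
SAMPLE_LOG = [
    AccessEntry("select", "SELECT * FROM Anonymizing_V", "churn_model", ["Anonymizing_V"], True),
    AccessEntry("select", "SELECT name, phone FROM PersonaData_V", "churn_model", ["PersonaData_V"], False),
    AccessEntry("select", "SELECT * FROM Customer_T", "mailer", ["Customer_T"], True),
    AccessEntry("grant", "GRANT SELECT ON PersonaData_V TO mailer", "dba", ["PersonaData_V"], True),
]
SAMPLE_CLASSES = {"churn_model": "B", "mailer": "C", "dba": "A"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, SAMPLE_CLASSES):
        print(finding)
```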

Metadata Services 

Metadata services include a privacy metadata subsystem (PMDS) extension 114. 
The PMDS extension 114 stores and tracks a number of parameters, and uses these 
parameters to track activity relating to privacy. Tracked parameters include: (1) data 
descriptions of all data elements currently in the system (including databases, users, tables, 
views and macros); (2) data descriptions of internal elements that were source to the 
system; (3) data descriptions of external elements that were source to the system; (4) data 
descriptions of internal elements that were target of the system; (5) data descriptions of 
data elements that were exported from the system; (6) profiles of all users, groups and 
applications and their access rights to the data; (7) logging of events relating to data 
access/update, creation of tables/views/macros, granting/revoking of privileges, changes in 
user profiles, and triggers. 

The PMDS extension 114 also stores and manages executable business rules that 
govern the data controller's adherence to privacy and the logging of events relating to 
manipulation of the TERADATA logs (e.g. BEGIN/END LOGGING) or similar logs in 
another DBMS. 

The PMDS extension 114 also provides a high-level GUI 406 for the privacy 
administrator to review and manage privacy-related metadata. This will include a graphical 
representation of the databases and their table/view/macro structure for all customer 
(consumer or data subject) information, and of the associated user/user group privileges. 
The GUI 406 also provides a parameter-driven means of setting up privacy rules and 
generating consequent dataviews, macros, or access rights, based on definitions provided 
by the privacy administrator through the GUI 406. The GUI 406 also provides a facility to 
guide an outside auditor through a review of the site's privacy implementation. 

The PMDS extension 114 also provides a reporting facility, which analyzes the 
contents of the various database and PMDS logs to report on privacy-related activity. The 
privacy administrator may review such privacy reports via an interactive interface or 
printed report. Independent auditors, in conjunction with the privacy administrator, may 
perform their audits with the assistance of such reports. 

The PMDS extension 114 also provides a separate GUI application/utility to 
support consumers in access, review and correction of their personal data and related 
privacy rules, and may also provide additional logging facilities to provide more details 
pertaining to privacy related events. 

Macros 

Either alone or in combination with the dataviews described herein, macros 111 or 
stored procedures in the database management system/interface can be used to control and 
log accesses to data. Where macros are used to enforce data privacy parameters, users are 
not given "select" access rights. Instead, users are given the right to access a macro in the 
macro suite 111 that performs the actual data access and logs the event in the access log 
402 for future auditing purposes. Even so, the macros execute against the data through the 
same views that restrict access to opted-out rows and columns. Such macros are especially 
appropriate for recording single-row accesses. 

Data Dictionary 

The data dictionary 408 stores information about the database schema, including all 
tables, dataviews and macros in the system, and all users and their privileges (including 
the privileges of users owning macros). 

Process 

FIG. 5 is a flow chart illustrating exemplary operations used to practice one 
embodiment of the present invention. The process begins by accepting a request for a 
consumer privacy card such as a loyalty card 138 or a smart card 136 from a consumer. 
This can be accomplished via an Internet 126 connection, through a modem 130, a 
telephone 132, or a kiosk or ATM 134. This is illustrated in block 502. Then, the 
consumer is queried 504 for consumer personal information (such as the consumer's name, 
address, and telephone number), and the consumer's privacy preferences as set forth above. 
The consumer then enters the requested information. A customer-unique proxy identifying 
the customer is then generated, associated with the consumer's personal information, and 
stored in the data warehouse 102. This is depicted in block 506. A privacy card, which 
manifests the customer privacy preferences, is then issued 508 to the consumer. The 
privacy card may be a smart card with memory and limited processing and I/O capability, 
or may simply be a card with a bar code. 

FIG. 6 is a flow chart illustrating exemplary operations performed to store a 
customer-unique proxy identifying the customer in the data warehouse. First, a proxy is 
generated, as shown in block 602. Then, the generated proxy is stored in the data 
warehouse 102 and the privacy card, as shown in blocks 604 and 605. 

FIG. 7 is a flow chart illustrating exemplary operations performed to store a 
customer-unique proxy identifying the customer in the data warehouse where the privacy 
card is a simple loyalty card with a read-only capability such as a barcode. In this 
embodiment, a pre-stored proxy is read from the card (i.e. the bar code on the card), and 
transmitted and stored in the data warehouse. This is illustrated in blocks 702 and 704, 
respectively. Alternatively, the barcode or other manifestation of the proxy can be printed 
at the kiosk or ATM 134, or by a printer attached to the consumer's computer. 

FIG. 8 is a flow chart illustrating exemplary operations performed in participating in 
a commercial transaction using the privacy card. First, a request for a transaction, which 
includes the consumer's unique proxy, is received from the consumer, as shown in block 
802. The consumer completes the transaction, and the data about the transaction is 
associated with the proxy, as shown in block 804. The transaction data is then stored in the data 
warehouse 102 so that its association with the proxy is maintained, as shown in block 806. 

FIG. 9 is a flow chart illustrating exemplary operations performed in using the 
privacy card to manage the consumer's privacy preferences. First, a request is received and 
accepted 902 from the consumer to manage the privacy preferences in the data warehouse. 
This request includes the consumer's proxy, and is typically encrypted to assure security. 
After the identity of the customer is verified 904, the customer can then view, alter, and 
otherwise manage the privacy preferences stored in the data warehouse. 

As described in the foregoing operations, a consumer may sign up for a privacy 
card at an ATM-like self-service kiosk machine 134 in a retail establishment. The machine 
queries the consumer about various privacy preferences, collects his/her name, telephone 
numbers, and mailing address, and issues a universal privacy card that can be used 
immediately in any participating establishment to gain access to special treatment (e.g. 
"frequent shopper") privileges, special discounts, and bonus points (e.g. "frequent flyer 
miles"). 

By interacting with the kiosk 134, the consumer is able to trade off privacy for 
special benefits at a detailed level. For example, the consumer can say that he or she wants a 
particular "junk mail" flyer or catalog, but not another. Or that the consumer is willing to 
be called at home by a particular type of store, or a particular store, but only during certain 
hours. In other words, the privacy card puts the consumer in complete control over what 
data is collected, and what is done with the data. All privacy preferences are changeable at 
any time, with complete assurance by the consumer that the new preferences will be 
adhered to. Furthermore, the consumer does not need to trust every retail establishment to 
follow the privacy preferences - the consumer must only trust the privacy protection 
service bureau that issues the card and tracks the consumer's preferences. Finally, since the 
privacy card works in any participating establishment, the consumer need only carry one 
card and administer one privacy preference profile. 

The foregoing allows retailers to meet the consumers' preferences, instead of 
irritating customers with unwanted junk mail, unwanted phone calls, spam, etc. 
Furthermore, retailers are able to save significant cost in avoiding mass-mailings and 
unneeded telephone calls. Lastly, the retailer may perform detailed analyses on the 
shopping patterns of their most loyal customers, without running any risk of violating their 
privacy desires or rights. Coupled with automatic recognition systems, a retailer can even 
sense when a customer enters a retail outlet and determine to what degree that customer 
wants to be greeted by name or left anonymous, or whether they prefer help or to walk the 
store uninterrupted. 

Since the foregoing system puts the consumer in charge of their own privacy, with 
assurance that the retailers are unable to circumvent the consumers' preferences, there is no 
need for regulatory or legal controls over data mining, junk mail, outbound telemarketing, 
or spam. 

In one embodiment, the privacy card is a smart card with some amount of memory, 
some computational ability, and some software on it. When attached to the smart card 
reader at the retailer's point of sale (POS) station, it generates an id number that is a unique 
customer identification that is different for each retail establishment, but is consistent 
between visits and between individual stores owned by the same retailer. When plugged 
into a smart card reader in the consumer's home PC, it also generates the same id number 
when the consumer is interacting with the retailer's web site. Only a third party - the 
privacy protection service bureau - can perform the translation between the consumer's id 
number and their name, mailing address, telephone numbers, and email address. Thus, 
although the retailer can track the buying behavior of that consumer, it never knows who 
the consumer actually is. If the consumer was willing to fill in demographic data as part of 
their loyalty card profile, and allow it to be accessible to the retailer, the retailer has access 
to that as well via the privacy protection service. 

When the retailer wishes to contact the consumer, either via mail, telephone, or 
email, it must inform the privacy protection service via a computer protocol. The privacy 
protection service's computer checks the most recent privacy profile for that consumer, 
and, if the consumer allows it, forwards the email, sets up the telephone call, or mails the 
flyer to the consumer. 
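An added example, not the patent's mechanism, of the per-retailer id number and the service bureau's translation role described in the preceding two paragraphs. The patent only says the card "generates an id number"; here that generation is modelled as an HMAC of the retailer's identifier under a secret held on the card and escrowed at the bureau, so the id is stable across one retailer's stores and visits but cannot be linked across retailers without the secret. All names, secrets and profile values are constructed.

```python
import hmac
import hashlib
from typing import Dict, Optional


def card_id_for_retailer(card_secret: bytes, retailer: str) -> str:
    """Id number the card presents to one retailer (constructed scheme: HMAC).

    Same retailer -> same id on every visit and in every store of that
    retailer; a different retailer name yields an unrelated id.
    """
    mac = hmac.new(card_secret, retailer.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


class ServiceBureau:
    """Privacy protection service bureau: the only party holding the mapping
    from card secrets to real identities and the consumer's privacy profile."""

    def __init__(self) -> None:
        self._secrets: Dict[str, bytes] = {}             # consumer name -> card secret
        self._profiles: Dict[str, Dict[str, bool]] = {}  # consumer name -> channel -> allowed

    def issue_card(self, name: str, secret: bytes, profile: Dict[str, bool]) -> None:
        self._secrets[name] = secret
        self._profiles[name] = profile

    def resolve(self, retailer: str, retailer_id: str) -> Optional[str]:
        """Translate a retailer-specific id back to the consumer's name.
        Linear scan over issued cards; a real bureau would index this."""
        for name, secret in self._secrets.items():
            if hmac.compare_digest(card_id_for_retailer(secret, retailer), retailer_id):
                return name
        return None

    def contact_request(self, retailer: str, retailer_id: str, channel: str) -> bool:
        """Retailer asks to reach the consumer over a channel ('email', 'phone',
        'mail'); the bureau consults the current profile and answers yes/no
        without revealing the name to the retailer."""
        name = self.resolve(retailer, retailer_id)
        if name is None:
            return False
        return self._profiles[name].get(channel, False)


# Constructed sample: one consumer, one card, one profile.
BUREAU = ServiceBureau()
ALICE_SECRET = b"constructed-card-secret-0001"
BUREAU.issue_card("Alice Example", ALICE_SECRET, {"email": True, "phone": False})

if __name__ == "__main__":
    rid = card_id_for_retailer(ALICE_SECRET, "GroceryCo")
    print("id seen by GroceryCo:", rid)
    print("email allowed:", BUREAU.contact_request("GroceryCo", rid, "email"))
```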

Alternative Embodiments 

FIG. 10 is a block diagram showing an alternative embodiment of the present 
invention. In this embodiment, two databases are used. The first is an anonymized database 
708, storing anonymized data and pseudonyms associated with the data in tables 706 stored 
therein. The second database is a trusted database 1004, storing tables 1002 relating the 
pseudonyms with customer identification information. In this approach, the customer's 
name is stored separately in trusted database 1004. This database is used by the data 
management system interface 109 to bind the identity of the customer to the pseudonym, 
and hence to the data stored in the anonymized database 1008. The trusted database also 
stores the individual's privacy parameters. 

Client pseudonyms can be provided to the client by the issuance of a loyalty card 
138 or smart card 136, by Internet 126 or on-line communications with a client computer, 
or by other means. The pseudonym can then be used as a proxy for consumer transactions 
(thus keeping any data thus collected anonymous). If desired, different pseudonyms can be 
used for different merchants, or different stores to prevent data mining to ascertain the 
identity of the customer. 
The customer may elect to allow the collection, use, or dissemination of non- 
anonymous data by selecting data privacy preferences. These preferences are enforced by 
the data management system interface 109, and are provided by the client using the loyalty 
card 138, smart card 136, Internet 136, or other communication/data storage method. In 
one embodiment, an intelligent software agent performs data mining functions to examine 
customer patterns and to make data privacy parameter suggestions based on the mining 
results. 

In another embodiment, the separate trusted database 1004 and anonymized 
database 1008 are used in a multi-level security privacy system, where the encryption, 
macros, dataviews, and/or separate database techniques disclosed herein are combined to meet 
the privacy requirements of different jurisdictions, for different retail outlets, or to 
accommodate different individual preferences. 

FIG. 11 is a diagram showing another alternative embodiment of the privacy data 
warehouse. As with the other embodiments previously described, access to the data in the 
database management system 104 is again accomplished via a dataview in the dataview 
suite 108, or a macro in the macro suite 111. In this embodiment, a privacy metadata 
services interface 802 comprising the privacy service 150, the client interface module 122, 
metadata monitoring extensions 114, and the audit interface 118 is also interposed between 
all accesses to the database management system 104. The privacy metadata services 
interface 1102 can therefore log and control all access to the database management system 
104, the dataviews in the dataview suite 108, and macros in the macro suite 111. 

FIG. 12 is a diagram showing an exemplary implementation of dataviews with an 
interposed privacy metadata services interface. Visibility and access to the data in the 
customer base tables in the database management system 104 is provided by dataviews and 
macros 111. The views into the data are represented by the concentric squares shown in 
FIG. 12. A consumer access macro or consumer view provides the user/consumer with 
access to a single row of the customer database table containing data about that consumer 
or data subject. A system assistant 1202 supports the definition and maintenance of the 
database infrastructure, while a privacy assistant 1204 supports the definition and 
maintenance of the tables, dataviews, macros, user profiles, logs, and audit reports. As 
before, routine applications 110A have access to the customer base tables via a standard 
view 260, analytic applications 110C have access via an anonymized view in which data 
that renders the customer identifiable is masked, action (marketing) applications 110D have 
access via an opt-out view in which entire rows of customer data are omitted, and third 
party disclosure applications 112 are provided with a dataview which presents only 
customers who have opted-in, but does not allow access to identifying data. The opt- 
out/anonymizing dataview can be a separately implemented dataview, or can be 
implemented by applying both the opt-out and anonymizing dataviews. 
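The four dataviews of FIG. 12, plus the combined opt-out/anonymizing view built by layering one view on the other, as an added example that is not the patent's code: SQL views in SQLite over a constructed customer base table, queried from Python. The table, column and view names and the sample rows are constructed; the patent's Teradata setting would additionally GRANT each application class rights only on its own view, which SQLite has no syntax for.

```python
import sqlite3
from typing import List, Tuple

# Constructed schema: one customer base table and the dataviews over it.
SCHEMA = """
CREATE TABLE Customer_T (
  proxy TEXT PRIMARY KEY, name TEXT, phone TEXT, zip TEXT,
  spend REAL, opt_out INTEGER, opt_in_3rd_party INTEGER);

-- Standard view: routine applications see every row, no personal information
CREATE VIEW Standard_V AS
  SELECT proxy, zip, spend FROM Customer_T;

-- Anonymizing view: identifying columns masked, all rows kept for analysis
CREATE VIEW Anonymizing_V AS
  SELECT 'masked' AS name, 'masked' AS phone, substr(zip, 1, 3) AS zip3, spend
  FROM Customer_T;

-- Opt-out view: whole rows of opted-out customers omitted for action apps
CREATE VIEW OptOut_V AS
  SELECT * FROM Customer_T WHERE opt_out = 0;

-- Third-party disclosure: only opted-in customers, and no identifying data
CREATE VIEW ThirdParty_V AS
  SELECT substr(zip, 1, 3) AS zip3, spend FROM Customer_T
  WHERE opt_in_3rd_party = 1;

-- Combined view: anonymizing applied on top of the opt-out view
CREATE VIEW OptOutAnon_V AS
  SELECT 'masked' AS name, substr(zip, 1, 3) AS zip3, spend FROM OptOut_V;
"""

# Constructed sample customers: (proxy, name, phone, zip, spend, opt_out, opt_in_3rd_party)
ROWS = [
    ("p1", "Alice", "555-0101", "94110", 120.0, 0, 1),
    ("p2", "Bob",   "555-0102", "94112", 45.5, 1, 0),
    ("p3", "Carol", "555-0103", "10001", 300.0, 0, 0),
]

VIEWS = ("Standard_V", "Anonymizing_V", "OptOut_V", "ThirdParty_V", "OptOutAnon_V")


def build_db() -> sqlite3.Connection:
    """Create the in-memory database, its views and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Customer_T VALUES (?,?,?,?,?,?,?)", ROWS)
    return conn


def query_view(conn: sqlite3.Connection, view: str) -> Tuple[List[str], list]:
    """Return (column names, rows) for one dataview; the name is checked
    against the fixed list so no caller-supplied text reaches the SQL."""
    if view not in VIEWS:
        raise ValueError(f"unknown dataview: {view}")
    cur = conn.execute(f"SELECT * FROM {view}")
    return [d[0] for d in cur.description], cur.fetchall()


if __name__ == "__main__":
    db = build_db()
    for v in VIEWS:
        cols, rows = query_view(db, v)
        print(v, cols, rows)
```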
Abstract 

A method, apparatus, article of manufacture, and a memory structure for 
controlling the collection and dissemination of data stored in a data warehouse is disclosed. 

The method comprises the steps of accepting a request for a privacy card from a 
consumer, querying the consumer for consumer personal information and privacy 
preferences, storing a customer unique proxy identifying the customer in the data 
warehouse, and issuing a privacy card comprising the proxy to the customer. The program 
storage device comprises a medium for storing instructions performing the method steps 
outlined above. The apparatus comprises a means for accepting the request for a privacy 
card from the consumer and for querying the consumer for personal information and privacy 
preferences, such as a kiosk, ATM or internet connection, a data warehouse for storing the 
customer unique proxy, and a means for issuing the privacy card. 